Mobile Devices
Mobile devices generally consist of cell phones, tablets, and similar portable technology that we normally carry with us. These devices are designed for surveillance from the ground up, since they normally include cameras, wireless connectivity, and a restricted software stack that makes it difficult to install ad blockers and improve privacy settings.
The Advertising ID, Revisited
Recall from the section on Internet Tracking that mobile browsers have access to an advertising identifier that can function as a type of zombie cookie. This identifier, which is also called a mobile advertising ID (MAID), is actually worse than a zombie cookie. Every installed app on the device has access to this identifier, not just the browser. These apps often contain tracking code, and they have more privileged access to location data than does a website in the mobile browser. Consequently, services like Babel Street’s Locate X allow a phone to be geographically tracked using only the MAID.[1] Since the phone is tied to an individual, any person can be tracked if the advertising identifier of their device is known.
Since Locate X is available to just about anyone willing to pay for access, this service can be used for the targeted tracking of an individual. Furthermore, nothing stops law enforcement agencies from purchasing access to this service and tracking an individual without first needing to obtain a warrant.[2] Since a person who is using an Android or iOS device that contains a MAID has voluntarily consented to the commercial use of their data, and the privacy policies of the various apps establish voluntary consent to track users, there are likely no Fourth Amendment implications to police use of these data. This loophole is especially concerning for women, since the police could use information from period tracking apps, shopping apps, and Internet searches to identify pregnancies. Data from a service like Locate X could then associate pregnant women with the locations of out-of-state abortion clinics, allowing criminal charges to be brought in a woman’s home state if abortion is illegal there.[3]
Shopping Apps
Men are not immune to being tracked and having their locations and habits monitored through their phones. Retailers, in particular, are interested in tracking everyone inside their stores. They can make extra money by selling information about what sections of a store a person frequents, what kinds of products they purchase, and so forth. Since most people would likely find someone following them around a store to be a bit creepy, the retail industry has adopted a quiet approach in which they try to ease people into being tracked in-store. Their ploy is to convince people to install the retail store’s app on their phone in exchange for discounts provided exclusively through the app.[4]
Within the store, the retailer has two options for tracking a person’s movements. The first, and more precise, option is to use a Bluetooth beacon to connect the phone to transceivers placed throughout the store. Due to the relatively short range of Bluetooth signals, it is practical to hide transceivers in shelves and other places that allow more precise tracking. Bluetooth tracking requires the retailer’s app to be installed on the phone in order to work around system permissions that would otherwise prohibit it.[5]
The second way that a retail store can track a shopper’s phone uses WiFi signals. This approach is less accurate, but it does not require a person to have the store’s app installed. WiFi-enabled devices constantly send out scanning messages, which WiFi access points in the store can monitor and triangulate to an approximate location. Location accuracy can be somewhat improved if the device maintains an active connection, so many stores will provide “free” WiFi for this purpose. Since not all devices randomize the Media Access Control (MAC) address that is assigned to the WiFi chip at manufacturing time, it is often possible to establish a persistent unique identifier from this address alone.[6]
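To check whether your own device exposes such a persistent identifier, the following added example (not part of the original article) audits the WiFi addresses that one device presented to different networks, as read from the device's settings or a router's client list. The function names and the sample data are constructed for illustration; the factory-style address comes from the range reserved for documentation.

```python
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}")

def normalize(text):
    """Return a MAC address as lowercase, colon-separated hex."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return text.replace("-", ":").lower()

def is_locally_administered(text):
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomized addresses set this bit; an address assigned at
    manufacturing time leaves it clear.
    """
    first_octet = int(normalize(text)[:2], 16)
    return bool(first_octet & 0x02)

def audit(observations):
    """Audit (network, mac) pairs recorded for ONE device.

    A factory-assigned address, or any address seen on more than one
    network, is a persistent identifier.
    """
    networks_by_mac = {}
    for network, mac in observations:
        networks_by_mac.setdefault(normalize(mac), set()).add(network)
    factory = sorted(m for m in networks_by_mac
                     if not is_locally_administered(m))
    reused = {m: sorted(n) for m, n in networks_by_mac.items() if len(n) > 1}
    return {
        "factory_assigned": factory,
        "reused_across_networks": reused,
        "persistent_identifier": bool(factory or reused),
    }

# Constructed sample: the addresses one phone showed on three networks.
SAMPLE = [
    ("home", "A2:11:22:33:44:55"),         # U/L bit set: randomized
    ("cafe", "5e-9c-01-aa-bb-cc"),         # U/L bit set: randomized
    ("store-guest", "00:00:5E:00:53:01"),  # U/L bit clear: factory-style
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

If the audit reports a factory-assigned address for a network, enable the per-network private or randomized address option for that network, or forget the network.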
Mitigation
To mitigate the threats posed by mobile devices effectively, it is necessary to replace the manufacturer-supplied operating system with an open-source, third-party distribution. In practice, this type of mitigation is only possible on Android devices, and even then only on those phones and tablets where the bootloader can be unlocked to install something like GrapheneOS[7] or LineageOS.[8] Google Play Services (and Google apps) must not be installed, except perhaps by using a work profile on GrapheneOS, which can run Play Services inside an unprivileged sandbox.[9]
If it isn’t possible or feasible to purchase a mobile device capable of running a third-party Android distribution, then the next best mitigation approach is to avoid installing apps on factory Android or iOS devices. Each installed app increases the privacy (and security) attack surface, since each app includes its own library of surveillance features. Fully open-source apps that usually do not contain tracking capabilities are available for Android devices via alternative app stores like F-Droid.[10] At the very least, mitigating privacy threats on mobile devices requires some behavioral changes. Do not use social media of any kind from a mobile device, and do not use your phone to look at porn. Instead, use a laptop or desktop computer with a browser configured for privacy.
Notes and References
- Emma Roth. “An investigation exposes data brokers using ads to help track almost any phone.” The Verge. October 23, 2024.
- Brian Krebs. “The Global Surveillance Free-for-All in Mobile Ad Data.” Krebs on Security. October 23, 2024.
- Corin Faife, Russell Brandom, Nicole Wetsman, and Mary Beth Griggs. “The biggest privacy risks in post-Roe America.” The Verge. June 27, 2022.
- Joseph Turow. The Aisles Have Eyes: How Retailers Track Your Shopping, Strip Your Privacy, and Define Your Power. New Haven, CT: Yale University Press. 2017.
- Michael Kwet. “In Stores, Secret Surveillance Tracks Your Every Move.” The New York Times. June 14, 2019.
- Ashkan Soltani. Privacy trade-offs in retail tracking. Federal Trade Commission. April 30, 2015.
- Features overview: Sandboxed Google Play. GrapheneOS.